This past year has seen its usual collection of exploits, vulnerabilities, attacks and data leaks. But let’s take a look back and see if we can learn a few lessons from the progress of time.
Of all stories, it certainly seems like this year has been a watershed in terms of major ransomware attacks. From Locky, Petya, Mirai, WannaCry, and BadRabbit, we haven’t had much time in between each attack to bounce back. Furthermore, the attacks are getting bigger and more intrusive and more targeted.
Moral: Patch now and forever. Make sure you don’t delay when you hear about an exploit, because any delay can be used by attackers to enter your network. (I am talking to you, Equifax.) Have a plan in place and make sure it covers all of your critical OS and apps.
Probably the second most often occurring event of the year was the series of stories about unsecured AWS storage buckets. Not to pick on Amazon, but this is the case for any cloud provider. Sadly, this isn’t new, and this trend will continue. As your cloud infrastructure becomes more complex, it is easier to forget about setting the right access rights and easy to let something slip by.
A companion warning to insecure cloud storage is to understand how to make use of the newer cloud tools and containers such as “serverless” computing that is coming into fashion. This involves code running in a well-defined sandbox that is deleted after the code executes. A proof-of-concept exploit explained at the last BlackHat conference shows that at least there is one vulnerability in this area. Certainly, serverless attacks will become more prominent in the coming years as containers and these tools become more popular.
Moral: Make sure your cloud instances are set up properly and understand the specialized security issues involving containers.
Malware is getting sneakier and better at hiding itself. I wrote about the rise of fileless malware earlier in the year, and this is just one of many methods that malware can make it harder to be detected. There will continue to be lots of cases where malware can hijack legitimate Windows services and make use of other programming tricks to evade detection.
Moral: Tune your defenses accordingly. Behavioral tracking methods are more important than ever, and remember to patch quickly when exploits are discovered.
Treat crypto certificates as if they matter more than money, because when they fail, the consequences will cost you a boatload. Look at what happened recently to LinkedIn: they used a third-party security consultant who let their SSL certs expire and their site was down for a day until the issue was resolved. This doesn’t help keep your customers’ trust, especially on a user-supplied data-rich site like LinkedIn. Review this article about some of the cert management issues and spend some time making sure all of your digital certs are properly accounted for.
Moral: Don’t delegate this to some third-party without a lot of checks and balances.
Finally, the use of open source software continues to rise, and with it comes an obligation to ensure that you consider security as part of the devops process. A recent survey of open source users found that almost half of the code maintainers never audit their code, and less than 17 percent feel they have high security knowledge. Code vulnerabilities are on the rise for open source projects pretty much across the board -- but not for Red Hat Linux. Last year, two thirds of Red Hat vulnerabilities were fixed within a day of public disclosure.
Moral: build security into your projects at the beginning.
David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. He has had several editorial management positions for both print and online properties and currently writes for Dice, Techtarget's SearchSecurity.com, ITworld.com and Network World. Find him on Twitter @dstrom and on his website strominator.com.